
Encrypt a Querystring with Expiration

22 Aug 2007 | CPOL | 2 min read
Create a querystring that is encrypted and expires

Introduction

This is an enhancement and "mash" of several articles on encryption and changing passwords. I needed something that is not only encrypted but also easy to implement, and that expires.

Background

Several months ago, I implemented an application using the ASP.NET membership controls in Visual Studio 2005. Part of this implementation allows for password recovery. The problem I faced was that the password that goes back to the user is very strange and the whole process is a little cumbersome. After looking around on the Internet, I came across a way to reset the password by clicking a link in an email. The problem with this approach is that if someone does not delete the email after using it, or if someone can interpret the userid, then the password could be reset without the user's permission or knowledge. That is why I created a small class that has solved these problems. In essence, it takes an encryption key along with the username and a time stamp and creates a URL with the encrypted key.

The decryption part takes the URL and, using the encryption key, verifies that the date and time stamp is still valid. If it is, then you can assume that this is the user, acting within a period of a couple of minutes. I recommend setting the length to no more than 30 minutes, but it is configurable.

Inside this file, I have also attached a small sample application which shows how to implement this. Once you get the hang of it, you can use it for just about anything. If there is a better way, or if you have comments, then please let me know.

Using the Code

Download the code and open up the encryption class. It contains three properties and two public functions.

The properties are:

VB.NET
Public Property UserName() As String
    Get
        Return m_username
    End Get
    Set(ByVal value As String)
        m_username = value
    End Set
End Property

Public Property EncryptionKey() As String
    Get
        Return m_EncryptionKey
    End Get
    Set(ByVal value As String)
        m_EncryptionKey = value
    End Set
End Property

Public Property ExpireDateTime() As DateTime
    Get
        Return m_ExpireDateTime
    End Get
    Set(ByVal value As DateTime)
        m_ExpireDateTime = value
    End Set
End Property

The two public functions are:

VB.NET
' Requires: Imports System.Text and Imports System.Security.Cryptography.
' IV, serialize() and deserialize() are members of the class in the download.
Public Function Encrypt() As String
    If String.IsNullOrEmpty(m_EncryptionKey) Then
        Throw New Exception("Encryption Key is Required")
    End If

    'Ensure that the expiration time has been set. DateTime is a value type,
    'so compare against its default value; its string form is never empty.
    If m_ExpireDateTime = DateTime.MinValue Then
        Throw New Exception("Expiration Date is Required")
    End If
    Dim buffer() As Byte = Encoding.ASCII.GetBytes(serialize())
    Dim des As TripleDESCryptoServiceProvider = New TripleDESCryptoServiceProvider
    Dim MD5 As MD5CryptoServiceProvider = New MD5CryptoServiceProvider
    'The 16-byte MD5 digest of the key string is used as the TripleDES key.
    des.Key = MD5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(m_EncryptionKey))
    des.IV = IV
    Return Convert.ToBase64String( _
            des.CreateEncryptor.TransformFinalBlock(buffer, 0, buffer.Length))
End Function

Public Function Decrypt(ByVal EncryptedUsername As String) As String
    If String.IsNullOrEmpty(m_EncryptionKey) Then
        Throw New Exception("Encryption Key is not set")
    End If
    Try
        Dim buffer() As Byte = Convert.FromBase64String(EncryptedUsername)
        Dim des As TripleDESCryptoServiceProvider = New TripleDESCryptoServiceProvider
        Dim MD5 As MD5CryptoServiceProvider = New MD5CryptoServiceProvider
        des.Key = MD5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(m_EncryptionKey))
        des.IV = IV
        'Decrypt once and reuse the plaintext for deserialize() and the return value.
        Dim plainText As String = Encoding.ASCII.GetString( _
            des.CreateDecryptor.TransformFinalBlock(buffer, 0, buffer.Length))
        deserialize(plainText)
        Return plainText
    Catch ex As CryptographicException
        Throw New Exception("Crypto error", ex)
    Catch ex As FormatException
        Throw New Exception("FormatException", ex)
    End Try
End Function
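
The class above reuses the class-level IV for every token and attaches no integrity check, so a modified token is only caught if decryption or deserialize() happens to fail. As an added example (not the article's downloadable code), here is the same username-plus-expiry token built as encrypt-then-MAC with AES-CBC and HMAC-SHA256, verified before anything is decrypted. The module, function and parameter names are hypothetical, and encKey and macKey are assumed to be two independent random 32-byte keys.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Text

' Added example (hypothetical names): token = Base64(IV || AES-CBC ciphertext || HMAC-SHA256 tag).
Public Module ExpiringToken
    Public Function Protect(ByVal user As String, ByVal expiresUtc As DateTime, _
                            ByVal encKey As Byte(), ByVal macKey As Byte()) As String
        Dim plain As Byte() = Encoding.UTF8.GetBytes(expiresUtc.Ticks.ToString() & "|" & user)
        Using cipher As New RijndaelManaged()      ' AES: 128-bit block, CBC, PKCS7 padding
            cipher.Key = encKey
            cipher.GenerateIV()                    ' fresh random IV for every token
            Dim token As New List(Of Byte)(cipher.IV)
            token.AddRange(cipher.CreateEncryptor().TransformFinalBlock(plain, 0, plain.Length))
            Using mac As New HMACSHA256(macKey)    ' tag covers IV and ciphertext
                token.AddRange(mac.ComputeHash(token.ToArray()))
            End Using
            Return Convert.ToBase64String(token.ToArray())
        End Using
    End Function
    ' Returns the user name, or Nothing when the token is malformed, forged or expired.
    Public Function Unprotect(ByVal tokenText As String, ByVal nowUtc As DateTime, _
                              ByVal encKey As Byte(), ByVal macKey As Byte()) As String
        If tokenText Is Nothing Then Return Nothing
        Dim token As Byte() = Nothing
        Try
            token = Convert.FromBase64String(tokenText)
        Catch ex As FormatException
            Return Nothing
        End Try
        If token.Length < 64 Then Return Nothing   ' 16 IV + 16 ciphertext + 32 tag minimum
        Dim bodyLen As Integer = token.Length - 32, diff As Integer = 0
        Using mac As New HMACSHA256(macKey)
            Dim expected As Byte() = mac.ComputeHash(token, 0, bodyLen)
            For i As Integer = 0 To 31             ' compare every byte, no early exit
                diff = diff Or (expected(i) Xor token(bodyLen + i))
            Next
        End Using
        If diff <> 0 Then Return Nothing           ' reject before decrypting anything
        Using cipher As New RijndaelManaged()
            cipher.Key = encKey
            cipher.IV = New List(Of Byte)(token).GetRange(0, 16).ToArray()
            Dim plain As String = Encoding.UTF8.GetString( _
                cipher.CreateDecryptor().TransformFinalBlock(token, 16, bodyLen - 16))
            Dim sep As Integer = plain.IndexOf("|"c)
            If New DateTime(Long.Parse(plain.Substring(0, sep)), DateTimeKind.Utc) < nowUtc Then Return Nothing
            Return plain.Substring(sep + 1)
        End Using
    End Function
End Module
```

Base64 output can contain +, / and =, so URL-encode the token when building the link (for example with HttpUtility.UrlEncode), and pass DateTime.UtcNow as nowUtc when checking it.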

Points of Interest

This code was taken from several different articles on this site and combined to create this class. These articles are as follows: Password Recovery and TamperProofQueryString along with some original code.

History

  • 08.22.2007 - Version 1 (Initial upload)

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Web Developer
United States
I have worked for a Fortune 500 company developing .NET, SAP and Oracle applications. I left the company to spend more time with my family and now work for a local government in Virginia, about 10 minutes from home, developing web applications for them.

I enjoy programming but enjoy my family even more.

Comments and Discussions

 
Please don't do this
Ennis Ray Lynch, Jr. 22-Aug-07 12:34
